Blocking USB Devices

reuvygroovy 781 Reputation points
2023-07-11T06:01:10.8666667+00:00

We are connecting a USB Keyboard and mouse to our computer, and it is blocked by our GPO. Our GPO allows hardware devices based on Class ID, but when we view the device info within Device Manager (and also as seen in the Event Log) the device has no cataloged information

The installation of this device is forbidden by system policy.

Subject:
                Security ID:                            SYSTEM
                Account Name:                     COMPUTER$
                Account Domain:                  MMI
                Logon ID:                               0x3E7

Device ID:               USB\VID_17EF&PID_6099\7&19BF9627&0&3

Device Name:        Lenovo Traditional USB Keyboard

Class ID:                 {00000000-0000-0000-0000-000000000000}

Class Name:           

Hardware IDs:        
                                USB\VID_17EF&PID_6099&REV_0114
                                USB\VID_17EF&PID_6099
                                
                                

Compatible IDs:    
                                USB\DevClass_00&SubClass_00&Prot_00
                                USB\DevClass_00&SubClass_00
                                USB\DevClass_00
                                USB\COMPOSITE
                                
                                

Location Information:          
                                Port_#0003.Hub_#0003
                                


The installation of this device is forbidden by system policy.

Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Limitless Technology 44,766 Reputation points
    2023-07-11T15:06:38.5566667+00:00

    Hello there,

    To block USB devices using Group Policy Object (GPO) in a Windows environment, you can follow these steps:

    Open the Group Policy Management console. You can access it by pressing Windows Key + R, typing "gpmc.msc," and pressing Enter.

    Create or select a Group Policy Object to apply the USB device blocking policy. You can either create a new GPO or edit an existing one.

    Right-click on the selected GPO and choose "Edit" from the context menu. This will open the Group Policy Management Editor.

    In the Group Policy Management Editor, navigate to the following location: Computer Configuration → Policies → Administrative Templates → System → Removable Storage Access.

    On the right-hand side, you will find various policies related to removable storage access. Look for the policy called "All Removable Storage classes: Deny all access" and double-click on it.

    In the policy settings window, select the "Enabled" option and click "OK."

    Close the Group Policy Management Editor.

    Apply the GPO to the desired organizational unit (OU) or Active Directory group containing the computers you want to block USB devices on. You can do this by linking the GPO to the appropriate OU or security group.

    Wait for Group Policy to propagate to the affected computers or manually force a Group Policy update on the target computers using the command "gpupdate /force" in the command prompt.

    After applying the GPO and the Group Policy update, USB devices should be blocked on the computers affected by the policy. Users will not be able to access or use USB storage devices unless they have administrative privileges to override the policy.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    Hope this resolves your Query !!

    --If the reply is helpful, please Upvote and Accept it as an answer--

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.